Predator and CL could not provide any possible suspects.
Using Code Search for the file, "LayoutSelection.cpp" assigning to concern owner.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/3b6c0e0cda44ef86b480a3c9604417d78f6ac650

@yoichio -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Confirmed crash but not yet if it is from my patch.

My another patch will fix:
https://chromium-review.googlesource.com/c/607743

Issue 757286 has been merged into this issue.

ClusterFuzz has detected this issue as fixed in range 495551:495853.

Detailed report: https://clusterfuzz.com/testcase?key=5380163054600192

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000008
Crash State:
  blink::CalcSelectionRangeAndSetSelectionState
  blink::LayoutSelection::Commit
  blink::LayoutView::CommitPendingSelection
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=494993:495037
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=495551:495853

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5380163054600192

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5380163054600192 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bbcefe73280faa1c5b52349df11f45906ce14d44

commit bbcefe73280faa1c5b52349df11f45906ce14d44
Author: Yoichi Osato <yoichio@chromium.org>
Date: Wed Aug 23 23:39:31 2017

Find last paintable LayoutObject w/o canonicalization.

This CL stops truncating end line wrapping in selection painting.
See LayoutTests/paint/invalidation/*.png diffs. We now paint end line
 wrapping if we select all text like "foo\n". Firefox also paints
 same.
By removing canonicalization, we also paint exact text w/o line wrapping
 if text doesn't contain line wrapping
(see editing/selection/range-between-block-and-inline.html).

Following is implement details.
This CL mainly changes loop process(L416-) and finding offsets(L438).
L416:
 |start_layout_object|: Move offset calculating later.
 |end_layout_object|: Assigned each last LayoutObject.
 If we find new last LayoutObject, we mark previous one as kInside.

L438:
 Define ComputeStart/EndOffset to compute each offset. We should
 return valid Optional<int> only if LayoutObject is text.

SelectionPaintRange::Iterator::Iterator:
 We use just |end_layout_object->NextInPreorder()| as stop object
 because now |end_layout_object| is exactly end object in LayoutTree.
This makes code much clean.

Bug:  739062 ,  756358 
Change-Id: Ibe4c07cc9b88fb7369b533db9eb6e0f974b2f3ae
Reviewed-on: https://chromium-review.googlesource.com/607743
Reviewed-by: Walter Korman <wkorman@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#496868}
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/paint/invalidation/selection-change-in-iframe-with-relative-parent-expected.txt
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/paint/invalidation/selection-clear-after-move-expected.txt
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/linux/editing/selection/range-between-block-and-inline-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/linux/editing/selection/replaced-boundaries-3-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/linux/paint/invalidation/delete-into-nested-block-expected.txt
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/linux/paint/invalidation/selection-partial-invalidation-between-blocks-expected.txt
[copy] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/linux/paint/invalidation/selection/invalidation-rect-with-br-includes-newline-expected.txt
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/linux/paint/selection/text-selection-inline-block-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/linux/paint/selection/text-selection-newline-clipped-by-overflow-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/linux/paint/selection/text-selection-newline-rtl-double-linebreak-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac-mac10.10/editing/selection/replaced-boundaries-3-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac-mac10.11/editing/selection/replaced-boundaries-3-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac-mac10.9/editing/selection/replaced-boundaries-3-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac-retina/editing/selection/replaced-boundaries-3-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/editing/selection/range-between-block-and-inline-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/editing/selection/replaced-boundaries-3-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/invalidation/delete-into-nested-block-expected.txt
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/invalidation/selection-partial-invalidation-between-blocks-expected.txt
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/invalidation/selection/invalidation-rect-includes-newline-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/invalidation/selection/invalidation-rect-includes-newline-for-rtl-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/invalidation/selection/invalidation-rect-includes-newline-for-vertical-lr-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/invalidation/selection/invalidation-rect-includes-newline-for-vertical-rl-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/invalidation/selection/invalidation-rect-with-br-includes-newline-expected.png
[copy] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/invalidation/selection/invalidation-rect-with-br-includes-newline-expected.txt
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/selection/text-selection-inline-block-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/selection/text-selection-newline-across-blocks-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/selection/text-selection-newline-br-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/selection/text-selection-newline-clipped-by-overflow-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/selection/text-selection-newline-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/selection/text-selection-newline-rtl-double-linebreak-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/selection/text-selection-newline-rtl-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/selection/text-selection-newline-span-across-line-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/selection/text-selection-newline-span-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/selection/text-selection-newline-vertical-lr-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/mac/paint/selection/text-selection-newline-vertical-rl-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/editing/selection/range-between-block-and-inline-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/editing/selection/replaced-boundaries-3-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/invalidation/delete-into-nested-block-expected.txt
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/invalidation/selection-partial-invalidation-between-blocks-expected.txt
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/invalidation/selection/invalidation-rect-includes-newline-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/invalidation/selection/invalidation-rect-includes-newline-for-rtl-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/invalidation/selection/invalidation-rect-includes-newline-for-vertical-lr-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/invalidation/selection/invalidation-rect-includes-newline-for-vertical-rl-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/invalidation/selection/invalidation-rect-with-br-includes-newline-expected.png
[rename] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/invalidation/selection/invalidation-rect-with-br-includes-newline-expected.txt
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/selection/text-selection-inline-block-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/selection/text-selection-newline-across-blocks-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/selection/text-selection-newline-br-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/selection/text-selection-newline-clipped-by-overflow-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/selection/text-selection-newline-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/selection/text-selection-newline-rtl-double-linebreak-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/selection/text-selection-newline-rtl-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/selection/text-selection-newline-span-across-line-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/selection/text-selection-newline-span-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/selection/text-selection-newline-vertical-lr-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/LayoutTests/platform/win/paint/selection/text-selection-newline-vertical-rl-expected.png
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/Source/core/editing/LayoutSelection.cpp
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/Source/core/editing/LayoutSelection.h
[modify] https://crrev.com/bbcefe73280faa1c5b52349df11f45906ce14d44/third_party/WebKit/Source/core/editing/LayoutSelectionTest.cpp